feat: support --failOn options for snyk-delta & CLI

* fix: package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NCONF-2395478 * fix: package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ASYNC-2441827 * feat: update snyk delta and relevant tests * chore: drop snyk org + mark not maintained * fix: upgrade axios from 0.26.1 to 0.27.2 Snyk has created this PR to upgrade axios from 0.26.1 to 0.27.2. See this package in npm: https://www.npmjs.com/package/axios See this project in Snyk: https://app.snyk.io/org/appsec-playground/project/118ea22d-619e-4f08-ad5f-29e006593678?utm_source=github&utm_medium=referral&page=upgrade-pr * feat: add failon flags following failon support in snyk-delta (#68) * feat: add failon flags following failon support in snyk-delta * fix: require failon compatible snyk-delta version Co-authored-by: snyk-bot <[email protected]> Co-authored-by: Ilan Torbaty <[email protected]> Co-authored-by: IlanTSnyk <[email protected]> Co-authored-by: ghe <[email protected]> Co-authored-by: Lili Kastilio <[email protected]>
snyk-tech-services · Jul 14, 2022 · fa121c3 · fa121c3
1 parent fcb7507
commit fa121c3
Show file tree

Hide file tree

Showing 6 changed files with 318 additions and 50 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,6 +1,4 @@
 version: 2.1
-orbs:
-    snyk: snyk/[email protected]
 jobs:
     build-test-monitor:
         docker:
@@ -10,10 +8,6 @@ jobs:
             - run: npm install semantic-release @semantic-release/exec pkg --save-dev --legacy-peer-deps
             - run: npm install
             - run: npm test
-            - snyk/scan:
-                fail-on-issues: true
-                monitor-on-build: true
-                token-variable: SNYK_TOKEN
             - run: npx semantic-release
     build-test:
         docker:
@@ -22,10 +16,6 @@ jobs:
             - checkout
             - run: npm install
             - run: npm test
-            - snyk/scan:
-                fail-on-issues: true
-                monitor-on-build: false
-                token-variable: SNYK_TOKEN
             - run: npx tsc
     build-test-from-fork:
         docker:

diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ dist
 *.log
 .eslintcache
 snyk-prevent-gh-commit-status-*
+.dccache
diff --git a/README.md b/README.md
@@ -1,5 +1,8 @@
 [![Known Vulnerabilities](https://snyk.io/test/github/snyk-tech-services/snyk-prevent-gh-commit-status/badge.svg)](https://snyk.io/test/github/snyk-tech-services/snyk-prevent-gh-commit-status)
 [![CircleCI](https://circleci.com/gh/snyk-tech-services/snyk-prevent-gh-commit-status.svg?style=svg)](https://circleci.com/gh/snyk-tech-services/snyk-prevent-gh-commit-status)
+[![Not Maintained](https://img.shields.io/badge/Maintenance%20Level-Not%20Maintained-yellow.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)
+
+**This repository is not in active development and critical bug fixes only will be considered.**
 
 ## snyk-prevent-gh-commit-status
 Little module to POST commit status of a PR the result of [snyk-delta](https://github.com/snyk-tech-services/snyk-delta) executed in the CI.
@@ -23,23 +26,24 @@ Enhancements are coming up to improve visibility and clarity on the issues findi
 
 ```
 snyk-prevent-gh-commit-status-linux
- /path/to/snykTestResults.json 
- <GITHUB_TOKEN> 
- <GH_ORG_NAME> 
- <GH_REPO_NAME> 
+ /path/to/snykTestResults.json
+ <GITHUB_TOKEN>
+ <GH_ORG_NAME>
+ <GH_REPO_NAME>
  <GH_COMMIT_SHA1>
  <GH_PR_NUMBER>
  <LINK_TO_CI_JOB - optional>
  <keepHistory - optional - if set the tool will post a new comment at each run otherwise it will update the existing comment>
+ <failOn value - optional - if set, the commit status fails only if there are issues fixable by upgrade or patch or both.
 ```
 ### Snyk CLI in bash
 ```
 > snyk test --json-file-output=snykTestResults.json || true
-> ./snyk-prevent-gh-commit-status-linux 
-    ./snykTestResults.json 
-    <GITHUB_TOKEN> 
-    <GH_ORG_NAME> 
-    <GH_REPO_NAME> 
+> ./snyk-prevent-gh-commit-status-linux
+    ./snykTestResults.json
+    <GITHUB_TOKEN>
+    <GH_ORG_NAME>
+    <GH_REPO_NAME>
     <CIRCLE_SHA1>
     <GH_PR_NUMBER>
     <LINK_TO_CI_JOB - optional>
@@ -49,11 +53,11 @@ snyk-prevent-gh-commit-status-linux
 ### Snyk CLI in bash using npx
 ```
 > snyk test --json-file-output=snykTestResults.json || true
-> npx snyk-prevent-gh-commit-status 
-    ./snykTestResults.json 
-    <GITHUB_TOKEN> 
-    <GH_ORG_NAME> 
-    <GH_REPO_NAME> 
+> npx snyk-prevent-gh-commit-status
+    ./snykTestResults.json
+    <GITHUB_TOKEN>
+    <GH_ORG_NAME>
+    <GH_REPO_NAME>
     <CIRCLE_SHA1>
     <GH_PR_NUMBER>
     <LINK_TO_CI_JOB - optional>
@@ -84,11 +88,11 @@ export GH_API='https://ghe-hostname/apiendpoint'
 #### Additional option to enable snykDelta Debug
 ```
 export SNYK_DEBUG=true
-./snyk-prevent-gh-commit-status-linux 
-    ./snykTestResults.json 
-    <GITHUB_TOKEN> 
-    <GH_ORG_NAME> 
-    <GH_REPO_NAME> 
+./snyk-prevent-gh-commit-status-linux
+    ./snykTestResults.json
+    <GITHUB_TOKEN>
+    <GH_ORG_NAME>
+    <GH_REPO_NAME>
     <CIRCLE_SHA1>
     <GH_PR_NUMBER>
     <LINK_TO_CI_JOB - optional>
@@ -100,14 +104,18 @@ export SNYK_DEBUG=true
 In case of an unmonitored project, it is possible to force the snyk-delta result so snyk-prevent-gh-commit-status will not fail.
 If some vulnerabilities are found comment listing the vulnerabilities will still be the post on the PR.
 
+#### Fail on
+If set, the commit status fails only if there are issues fixable by upgrade or patch or both.
+See [Snyk CLI documentation](https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/advanced-failing-of-builds-in-snyk-cli) and [Snyk-delta README usage section](https://github.com/snyk-tech-services/snyk-delta#usage).
+
 #### Debug
 use DEBUG=snyk* to enable snyk-prevent-gh-commit-status
 ```
-DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux 
-    ./snykTestResults.json 
-    <GITHUB_TOKEN> 
-    <GH_ORG_NAME> 
-    <GH_REPO_NAME> 
+DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux
+    ./snykTestResults.json
+    <GITHUB_TOKEN>
+    <GH_ORG_NAME>
+    <GH_REPO_NAME>
     <CIRCLE_SHA1>
     <GH_PR_NUMBER>
     <LINK_TO_CI_JOB - optional>
@@ -119,14 +127,14 @@ or to enable both snykDelta and snyk-prevent-gh-commit-status debug
 
 ```
 export SNYK_DEBUG=true
-DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux 
-    ./snykTestResults.json 
-    <GITHUB_TOKEN> 
-    <GH_ORG_NAME> 
-    <GH_REPO_NAME> 
+DEBUG=snyk* ./snyk-prevent-gh-commit-status-linux
+    ./snykTestResults.json
+    <GITHUB_TOKEN>
+    <GH_ORG_NAME>
+    <GH_REPO_NAME>
     <CIRCLE_SHA1>
     <GH_PR_NUMBER>
     <LINK_TO_CI_JOB - optional>
     <keepHistory - optional>
     <setPassIfNoBaselineFlag - optional>
-```
+```
diff --git a/package.json b/package.json
@@ -36,11 +36,11 @@
   "homepage": "https://github.com/snyk-tech-services/snyk-prevent-gh-commit-status#readme",
   "dependencies": {
     "@snyk/configstore": "^3.2.0-rc1",
-    "axios": "^0.26.0",
+    "axios": "^0.27.2",
     "debug": "^4.1.1",
     "lodash": "^4.17.21",
-    "snyk-config": "^3.0.0",
-    "snyk-delta": "^1.5.6",
+    "snyk-delta": "^1.7.2",
+    "snyk-config": "^4.0.0",
     "source-map-support": "^0.5.16",
     "tslib": "^1.10.0"
   },

diff --git a/src/lib/index.ts b/src/lib/index.ts
@@ -26,23 +26,23 @@ const main = async () => {
     let keepHistory = false;
     let setPassIfNoBaselineFlag = false;
     let detailsLink = '';
+    let failOn = undefined
 
     const options = process.argv.slice(8)
 
     options.forEach(option => {
-      if (option === 'keepHistory')
-      {
+      if (option === 'keepHistory') {
         keepHistory = true
-      } else if (option === 'setPassIfNoBaselineFlag')
-      {
+      } else if (option === 'setPassIfNoBaselineFlag') {
         setPassIfNoBaselineFlag = true
-      } else
-      {
+      } else if(option === 'upgradable' || option === 'patchable' || option === 'all') {
+        failOn = option
+      } else {
         detailsLink = option || ''
       }
     })
 
-    debug(`running snyk-prevent-gh-commit-status with org: ${ghOrg} repo: ${ghRepo} commit: ${ghSha} PRNumber: ${ghPRNumber} keepHistory: ${keepHistory} setPassIfNoBaselineFlag: ${setPassIfNoBaselineFlag} detailsLink: ${detailsLink}`)
+    debug(`running snyk-prevent-gh-commit-status with org: ${ghOrg} repo: ${ghRepo} commit: ${ghSha} PRNumber: ${ghPRNumber} keepHistory: ${keepHistory} setPassIfNoBaselineFlag: ${setPassIfNoBaselineFlag} detailsLink: ${detailsLink} failOn: ${failOn}`)
 
     const snykDeltaDebug = process.env.SNYK_DEBUG ? true : false; // process.argv.slice(2)[6] == 'debug' ? true : false;
     const jsonResultsFromSnykTest = fs
@@ -69,6 +69,7 @@ const main = async () => {
         currentResults,
         snykDeltaDebug,
         setPassIfNoBaselineFlag,
+        failOn,
       )) as SnykDeltaOutput;
 
       const parsedCurrentResults = JSON.parse(currentResults);